Generally, when I see a study come out that is performed by some group or institute for a player in the field that is being surveyed, I am often skeptical of the results. It is just hard for me to see the propriety in it.
However, in a recent study by the Ponemon Institute performed for PGP, I found myself shaking my head in disbelief for another reason: There is no way that nine percent of companies have a comprehensive encryption scheme.
I would say one in one thousand would be an exaggeration.
I must assume that the responding organizations' concept of a comprehensive encryption scheme and mine are far different. I believe that if you looked solely at whole disk encryption on laptops we would still be at a one in one hundred ratio. Once you figure in the other places that sensitive data can reside in an organization, I believe you will find that the ratio starts to really stretch out.
That's not to say that many organizations are not pursuing a larger role for the encryption of their data. I spoke with approximately fifty IT managers at an information management consortium meeting yesterday that had excellent questions and seemed to understand the necessity for the technology.
But ultimately it comes down to money, resources, political will, and urgency. The agenda for most organizations (from a security perspective) is dictated by perceived need or threat and the cost of action/inaction.
If you remember back to your economics class when your professor discussed the idea of an opportunity cost, it becomes directly relatable to security in a very quantifiable way. The necessity of urgency can easily be demonstrated on a daily basis by the number of organizations that lose data and spend more money on investigating the loss, damage control with their customers, and then performing some emergency encryption in an attempt to save face - when all they had to do was encrypt the data ahead of time and save themselves all of that drama (and possibly their jobs).
Make sure the people that own the pocketbooks of your company/agency understand the economics of data loss. If they believe you can afford to wait on data encryption, get them to put it in writing...